Awareness – Enough is enough

Enough is enough

And, no, I’m not talking about a song made famous by Barbra Streisand and Donna Summer 🙂

What does the word “community” mean to you? I’d describe it as a place where everyone from all walks of life, regardless of ability and / or experience, can collectively communicate and share ideas, experiences, challenges, and so much more. According to the Cambridge Dictionary:

…..all the people who live in a particular area, or a group of people who are considered as a unit because of their shared interests or background…..

This sums it up perfectly – particularly the emphasis on “considered as a unit because of their shared interests or background”. Or does it?

Sadly, the persistent scenario I seem to encounter myself (and I’m fairly sure that this is the general consensus across the board) is one where we are constantly sold a so-called “silver bullet” or a box filled with “blinky lights” that is touted to fix all of our problems, and keep us safe indefinitely from the ever increasing daily threats that the web (light, deep, and dark) seems to introduce on an hourly basis.

Back in “the day” (I’m revealing my age here), I would have said daily – the problem with that statement is that we’ve moved on both from the technology perspective, and the element of risk that always accompanies it. Gone are the days where you could place an unpatched PC with no firewall on the internet, and it would take a nefarious individual around a week to spot it. Today’s equivalent is more like hours – if not minutes.

The same applies to threat vectors. And not just “viruses” – you’d be unpleasantly surprised by just how many people think viruses are malware and vice versa. 10-15 years ago, they were the main concern – malware wasn’t even the worldwide threat it is today until May 2000, when Loveletter was the first high-profile profit-motivated campaign, followed by “variants” such as the Anna Kournikova worm and Nimda (“Admin” backwards), through to today’s “modern” iterations – which, by definition, also possess modern capabilities in terms of damage potential / payload and threat detection evasion techniques. Then there’s the constant emphasis on phishing and social engineering attacks, which are today’s mainstay in terms of convincing the user to click on a link, open an attachment, or even part with information via other media such as SMS / fake voicemail scams. The point of all of this really boils down to one thing.

If you want people to get more involved in technology, and information security, then make it relevant to them.

Humans, despite numerous intensive training programs, seem to forget all about that same training when it comes to clicking links in malicious emails. Even something as simple as questioning the origins of that Facebook email that went to their business email address (although they don’t use their business email for that platform) seems to elude them, and they still click the link. The clue here is awareness. Are we going far enough to educate people properly, with content that is meaningful and meets the real need, or are we taking a “foie-gras” approach of force-feeding information to satisfy an audit or regulatory requirement – in essence, a “tick in the box”? In addition, do we really follow up with those who consistently fail the same phishing test campaigns, or do we just let them carry on without addressing the issue?

Awareness is only a small percentage of this journey. What is needed is discussion – the more fluid, the better. The problem is simple in the sense that it’s clear we are not doing enough to assist others without feeling the need to profit immensely from it. There is no single platform I have encountered during my research that is actually founded and run by information technology and security professionals – nor is there one that actually wants to make a difference – in other words, create a full and active community where people aren’t afraid to ask questions without being accused of not researching something sufficiently, or being morally degraded by a negative response from someone else who considers themselves a technology “god”. StackOverflow and Reddit are both notorious for this approach, and if people don’t feel as though they can ask questions, then what hope do we have in terms of ever reducing the human threat?

The answer is much more complex – it’s difficult to actually convince people that they really need something like this. How do you convince people that they need to actively get involved in discussions concerning their own privacy, information security, protection from established and emerging threats, and identity theft? There isn’t one single answer to any of these – none that would work in the real world anyway. However, I firmly believe that if a platform existed where you could ask questions, join in discussions, express concerns, share experiences, and ultimately share knowledge, we could arguably change the paradigm – slowly, I admit, but surely with momentum once people realise the benefits.

You may ask why I’m doing this. It’s not for profit, and never will be. It’s not to elevate or promote myself in any way – by definition, I’m a very private person, and like to keep it that way. I don’t have a Facebook or Instagram account either 🙂

I’m doing this because it needs to be done. Every day, we see another breach in the news that probably could have been avoided with relevant awareness and effective controls. Every day, we see articles in the news where people have been duped out of their life savings. Every day, the battleground gets larger, but the pool of knowledge (or those willing to share it) is shrinking. Why?

The remit is clear. We need to do more in order to achieve more. I’ve created this platform as a way of filling this self-made void and reducing the inevitably expanding level of threat and risk. Hosted and run by an information technology and security expert, there is a wealth of knowledge waiting to be tapped into. Forewarned is forearmed, as they say. Is this a “call to arms”? Yes, it is exactly that.

It’s a dangerous world out there full of silent “assassins” (none of them with hoodies, either) ready to steal your data, finances, and your identity.

Published by Mark Cutting

Mark Cutting is the founder of Inocul8r.net. He is a network, security and infrastructure expert with more than 27 years of service in the Information Technology sector. Mark has a significant eye for detail, coupled with an extensive skill set. Having worked in numerous industries including trading, finance, hedge funds, marketing, manufacturing and distribution, he has been exposed to a wide variety of environments and technologies alike.

Mark, I think awareness is key, but it has to be relevant and current. There is no point rolling out the same annual training and it cannot be generic; it has to become personal and individual. You have to engage people and show them; stash a WiFi Pineapple in the corner of the room and show all the WiFi networks it picks up AND explain how it works. I recently did a short awareness session for a local charity and took a couple of props along; a USB key logger and a WiFi Pineapple; I did not actually plug them in in this instance as there was not much time, but handed them round, explained what they were and how they worked and asked everyone if they would notice one of them on their computer – which got everyone talking. Phishing is a case in point – most people, if asked, would say “I would not fall for that”, without actually taking the time to think. I talk about some of Chris Hadnagy’s examples – including the CEO spear phished with a charity email to explain how it is all linked, open source intelligence, a bit of research and a bit of time to prepare. You also have to explain some of it is luck – send out enough emails, some will get through and someone will click, which could be enough to start the attack. It is also context; I very rarely hire a car, so if I get an email from a hire car company, I am suspicious straight away, but if that same email arrives in the admin dept of a company that does use a lot of hire cars, chances are it is going to get opened. If I get a banking email from Nat West, well I don’t bank with Nat West (and never have) so that gets deleted straight away, but if you do bank with Nat West, you are busy, or tired, or just not paying attention; click – let’s see what this is…..

Mark, I think awareness is key, but it has to be relevant and current. There is no point rolling out the same annual training and it cannot be generic; it has to become personal and individual.

I agree with this – hence my point about force-feeding people content without checking periodically to ensure that they really understood – and most importantly, learnt from it. Training programs are far too rigid – not tailored, and aimed at a bulk audience rather than the individual.

You have to engage people and show them; stash a WiFi Pineapple in the corner of the room and show all the WiFi networks it picks up AND explain how it works. I recently did a short awareness session for a local charity and took a couple of props along; a USB key logger and a WiFi Pineapple; I did not actually plug them in in this instance as there was not much time, but handed them round, explained what they were and how they worked and asked everyone if they would notice one of them on their computer – which got everyone talking.

Great ideas. I’d like to think that most (if not all) organisations lock down USB ports (as mine does), although sadly, this isn’t the case. Another plant I like is to drop a USB key outside the office, or perhaps in the rest rooms for someone else to find.

Phishing is a case in point – most people, if asked, would say “I would not fall for that”, without actually taking the time to think. I talk about some of Chris Hadnagy’s examples – including the CEO spear phished with a charity email to explain how it is all linked, open source intelligence, a bit of research and a bit of time to prepare.

You also have to explain some of it is luck – send out enough emails, some will get through and someone will click, which could be enough to start the attack.

The methodology for explanation I use is the “scatter gun” approach – a hail of bullets, but only one part of that needs to hit a target – or “a criminal only needs one…”

It is also context; I very rarely hire a car, so if I get an email from a hire car company, I am suspicious straight away, but if that same email arrives in the admin dept of a company that does use a lot of hire cars, chances are it is going to get opened. If I get a banking email from Nat West, well I don’t bank with Nat West (and never have) so that gets deleted straight away, but if you do bank with Nat West, you are busy, or tired, or just not paying attention; click – let’s see what this is…..

Exactly my point around the Facebook email I mentioned in the post. We see this increasing at an alarming rate – people really need to stop and think before they commit.